[foaf-protocols] WebID breakthrough - pure Javascript+Flash implementation

Kingsley Idehen kidehen at openlinksw.com
Tue Aug 10 22:21:57 CEST 2010

Bruno Harbulot wrote:
> Hi Kingsley,
> On 09/08/10 21:03, Kingsley Idehen wrote:
>> What do you mean by as easy to use as keygen? I don't believe there is a
>> fundamental difference here since I have a single button for making the
>> Cert. and another button for saving the Cert. to one's data space and
>> then a check-box to enable WebID protocol based authentication. Can't be
>> any simpler than that as long as the user interaction delivers context
>> to the user.
>>> Perhaps someone with Internet Explorer can make a screen cast of 
>>> creating a certificate there (no need to do the account creation bit).
>> What do you think I did?
>> My next screencast will simply use Internet Explorer in exactly the same
>> way I did Safari. In both cases you click a single button and a Cert. is
>> produced and persisted to the Windows OS Cert Manager.
>>> If there are issues we need to try to find out how we can reduce 
>>> them there.
>> You need to understand Windows security and PKI to get this to work. If
>> it was easy there would be a boat load of implementations.
>> Bruno: I run IE and every other known browser across a cocktail of
>> platforms. Can I use your system to produce a Cert. that works with IE?
>> I am going to try your link anyhow.
> You can check out the code at 
> <http://github.com/harbulot/keygenapp/tree/71e30f7e4e79e170cf52b839078bdb48b58de0a0/samplewebapp/src/main/webapp>. 
> (I think Henry has made a few tweaks in his GitHub repository.)
> The JS could be modified a bit to be less dependent on the HTML page 
> from which it's loaded (it replaces the keygen tag in the DOM when 
> it's IE) (see 'configurePage()' function).
> Apart from this, these are JavaScript/ActiveX calls to the OS API, so 
> it's using the OS certificate store (which IE uses).
> The main problem was that this is not dependent on the version of IE, 
> but on the version of the OS (mainly XP/2003 and Vista/2008/7), but 
> this script supports both CertEnroll and XEnroll.
> It's meant to behave as closely as possible to the keygen behaviour.
> I'm curious to know how you got around this:
>> * Add this site to the Trusted Sites list: in Internet Options -> 
>> Security -> Trusted Sites -> Sites -> Add ...
>> * You may need to configure the trust level (in this tab), using 
>> Custom Level...: enable Initialize and script ActiveX controls not 
>> marked as safe for scripting.
>> * If you are using Windows Vista without SP1 or above, you will 
>> probably need to install this certificate as a Trusted Root 
>> Certification Authority Certificate for your own certificate 
>> installation to succeed. You should probably remove that trusted root 
>> CA certificate afterwards.
> What's your one-click wizard written in and how is it launched?

The "one click" wizard is written using C# and .NET. The wizard is signed, 
which is mandatory for "one click" apps.

Making the root CA cert. and registering it with the Cert. Manager DB 
prior to actual Personal Cert. generation is essential for Windows to 
work; otherwise the Certs. you generate will be rejected.

> Best wishes,
> Bruno.



Kingsley Idehen	      
President & CEO 
OpenLink Software     
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen 
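For readers who want to see what the "JavaScript/ActiveX calls to the OS API" in Bruno's keygenapp amount to, and how the trusted-root problem Kingsley raises shows up at install time, here is an added example of the IE client side of a keygen-style enrollment. It is not code from keygenapp, from Henry's fork, or from OpenLink's wizard. The ProgIDs, method names and numeric flag values are taken from Microsoft's CertEnroll (Vista/2008/7) and XEnroll (XP/2003) documentation as I know them; the provider name, key size, subject DN, the `fakeActiveXFactory` stub and the sample base64 strings are assumptions made for illustration so the flow can be exercised outside IE. The ActiveX creation function is passed in rather than called directly so that the same code runs in IE (where it is `new ActiveXObject(progId)`) and against the constructed fake.

```javascript
// Added example, not keygenapp code: IE client side of a keygen-like enrollment.
// Written as IE-era JScript (var, no arrow functions). In IE, pass
//   function (progId) { return new ActiveXObject(progId); }
// as createActiveX; the page must be in Trusted Sites with "Initialize and
// script ActiveX controls not marked as safe for scripting" enabled.

// Enumeration values from the CertEnroll/XEnroll docs (assumed, not from the page).
var CONTEXT_USER = 1;          // X509CertificateEnrollmentContext.ContextUser
var AT_KEYEXCHANGE = 1;        // X509KeySpec.XCN_AT_KEYEXCHANGE
var ALLOW_EXPORT = 1;          // X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG
var ENCODING_BASE64 = 1;       // EncodingType.XCN_CRYPT_STRING_BASE64
var NAME_STR_NONE = 0;         // X500NameFlags.XCN_CERT_NAME_STR_NONE
var ALLOW_UNTRUSTED_ROOT = 4;  // InstallResponseRestrictionFlags.AllowUntrustedRoot
var CRYPT_EXPORTABLE = 1;      // CryptGenKey flag used by XEnroll.GenKeyFlags
var CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"; // EKU passed to XEnroll.createPKCS10

// As Bruno notes, the API depends on the OS, not the IE version, so detect by
// trying to instantiate the control instead of sniffing the User-Agent.
function detectEnrollmentApi(createActiveX) {
  try {
    createActiveX("X509Enrollment.CX509EnrollmentWebClassFactory");
    return "CertEnroll";                 // Vista / 2008 / 7
  } catch (eCertEnroll) {
    try {
      createActiveX("CEnroll.CEnroll");
      return "XEnroll";                  // XP / 2003
    } catch (eXEnroll) {
      return null;                       // not IE, or ActiveX scripting blocked
    }
  }
}

// Step 1: generate a key pair in the user's store and return a base64 PKCS#10
// request (the role <keygen> plays in other browsers, which post an SPKAC).
function createRequest(api, createActiveX, subjectDn, keyBits) {
  if (api === "CertEnroll") {
    var factory = createActiveX("X509Enrollment.CX509EnrollmentWebClassFactory");
    var key = factory.CreateObject("X509Enrollment.CX509PrivateKey");
    key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"; // assumed
    key.KeySpec = AT_KEYEXCHANGE;
    key.Length = keyBits;
    key.MachineContext = false;          // user store, like keygen
    key.ExportPolicy = ALLOW_EXPORT;
    key.Create();
    var req = factory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10");
    req.InitializeFromPrivateKey(CONTEXT_USER, key, "");
    var dn = factory.CreateObject("X509Enrollment.CX500DistinguishedName");
    dn.Encode(subjectDn, NAME_STR_NONE);
    req.Subject = dn;
    var enroll = factory.CreateObject("X509Enrollment.CX509Enrollment");
    enroll.InitializeFromRequest(req);
    return { handle: enroll, csr: enroll.CreateRequest(ENCODING_BASE64) };
  }
  var xenroll = createActiveX("CEnroll.CEnroll");
  xenroll.KeySpec = AT_KEYEXCHANGE;
  xenroll.GenKeyFlags = (keyBits << 16) | CRYPT_EXPORTABLE; // key length in the high word
  return { handle: xenroll, csr: xenroll.createPKCS10(subjectDn, CLIENT_AUTH_OID) };
}

// Step 2: install what the server issued for that request. AllowUntrustedRoot asks
// CertEnroll to accept a chain whose root is not in the trusted store; the page
// reports that on Vista before SP1 this still fails unless the issuing root CA
// is imported as a trusted root first (and removed afterwards).
function installResponse(api, handle, certBase64) {
  if (api === "CertEnroll") {
    handle.InstallResponse(ALLOW_UNTRUSTED_ROOT, certBase64, ENCODING_BASE64, "");
  } else {
    handle.acceptPKCS7(certBase64);      // XEnroll wants a base64 PKCS#7 chain
  }
}

// Constructed stand-in for ActiveXObject so the flow can be checked outside IE:
// only the listed ProgIDs instantiate; every call is appended to log.
function fakeActiveXFactory(availableProgIds, log) {
  var methods = ["CreateObject", "Create", "Encode", "InitializeFromPrivateKey",
                 "InitializeFromRequest", "CreateRequest", "InstallResponse",
                 "createPKCS10", "acceptPKCS7"];
  function stub(progId) {
    var obj = { progId: progId };
    for (var i = 0; i < methods.length; i++) {
      (function (name) {
        obj[name] = function () {
          log.push(progId + "." + name);
          if (name === "CreateObject") { return stub(arguments[0]); }
          if (name === "CreateRequest" || name === "createPKCS10") { return "MIIB...fake-csr"; }
        };
      })(methods[i]);
    }
    return obj;
  }
  return function (progId) {
    if (availableProgIds.indexOf(progId) < 0) {
      throw new Error("Automation server can't create object: " + progId);
    }
    return stub(progId);
  };
}
```

The server half (parse the CSR, issue the certificate with the WebID URI in subjectAltName, return it base64) is unchanged from what a keygen-based page already does; only the client-side request and install steps differ from `<keygen>`, which is the part keygenapp swaps into the DOM on IE.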
